132

YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users (www.forbes.com)

submitted 1 week ago by Zerush@lemmy.ml to c/privacy@lemmy.ml

5 comments fedilink hide all child comments

A security researcher known as Brutecat discovered a vulnerability that could expose the email addresses of YouTube's 2.7 billion users by exploiting two separate Google services[^1][^2]. The attack chain involved extracting Google Account identifiers (GaiaIDs) from YouTube's block feature, then using Google's Pixel Recorder app to convert these IDs into email addresses[^1].

To prevent notification emails from alerting victims, Brutecat created recordings with 2.5 million character titles that broke the email notification system[^1]. The exploit worked by intercepting server requests when clicking the three-dot menu in YouTube live chats, revealing users' GaiaIDs without actually blocking them[^2].

Brutecat reported the vulnerability to Google on September 15, 2024[^1]. Google initially awarded $3,133, then increased the bounty to $10,633 after their product team reviewed the severity[^1]. According to Google spokesperson Kimberly Samra, there was no evidence the vulnerability had been exploited by attackers[^2].

Google patched both parts of the exploit on February 9, 2025, approximately 147 days after the initial disclosure[^1].

[^1]: Brutecat - Leaking the email of any YouTube user for $10,000 [^2]: Forbes - YouTube Bug Could Have Exposed Emails Of 2.7 Billion Users

you are viewing a single comment's thread
view the rest of the comments

[-] irotsoma 10 points 6 days ago

Because with stores, the evidence would be missing products. Very easy to see. With bugs like this, a million people could have abused it, or one. Either way that data is likely available to all who want it.

A better comparison is, store posted list of their customer's addresses on the back door. No clue how many people walked by there much less if anyone copied it down.

Problem is that knowing the link between a person's profile and their email now means you know the link between their account and their accounts in many other places. That information could be used to offer the person different prices at stores, attack them for being a minority or activist, to hack their account because their password was leaked from another site that uses that email,or all the other things these cumulative leaks add up to.

this post was submitted on 15 Feb 2025

132 points (100.0% liked)

Privacy

34096 readers

703 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS